MAL-2026-4554
Vulnerability from ossf_malicious_packages
Published
2026-05-20 02:40
Modified
2026-05-26 05:55
Summary
Malicious code in ethers-wallet-packages (npm)
Details
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (beda1480a40189cc8177ace4e3d6fd9773ad81f4cbe5a6c07e3004427846dc8d)
The package impersonates the legitimate @ethersproject/wallet (source files are otherwise verbatim copies, including the internal version string 'wallet/5.8.0'). lib/index.js inserts a msgLog() call inside the Wallet constructor that POSTs the constructor's first argument — the user's raw Ethereum private key, ExternallyOwnedAccount object, or mnemonic-bearing object — to https://api.telegram.org/bot/sendMessage with a hardcoded chat_id. Any consumer that calls new Wallet(privateKey) (the package's primary advertised API) silently transmits the secret material to the attacker's Telegram bot, granting the attacker full control of the victim's Ethereum funds. Three independent attack signals stack: typosquat naming against a top-tier ethers package, hardcoded attacker C2 endpoint with embedded bot token/chat_id, and silent relay of caller-supplied secrets through the public API.
CWE
Credits
{
"affected": [
{
"database_specific": {
"cwes": [
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
],
"indicators": {
"evidence_files": [
{
"path": "lib/index.js",
"sha256": "0caa9fd13fd9e25d83a2c61ff9cadb2e423c2815c88cb2508958b7097ac5597a",
"tlsh": "db528445fbe371244257b5b8d51f9849f57ec94b40cccd64ba0cd2926f6082c8bfaab8"
},
{
"path": "package.json",
"sha256": "f24a22b18457c1c05eb6365f9d827480d46d28e10ea912c6dfe2ca313415ebd0",
"tlsh": "07315941c93dcee757cc1a94441d68cab13a48174844b85d339a492a4f8f32f2efd94f"
}
],
"package_integrity": [
{
"filename": "ethers-wallet-packages-5.8.0.tgz",
"hashes": {
"sha1": "9f96ef310c10cc2840b229390e8b6e41e999bb51",
"sha512_sri": "sha512-5U8Tt2RTmh6Z5ULvFHdm1mbBgySOuzX9CwhpvofOa21ksmLvyHk8LMUcgiiqpCULNVIMjnRhMvm55giRs2QRTQ=="
}
}
]
}
},
"package": {
"ecosystem": "npm",
"name": "ethers-wallet-packages"
},
"versions": [
"5.8.0",
"5.8.2"
]
}
],
"credits": [
{
"contact": [
"actran@amazon.com"
],
"name": "Amazon Inspector",
"type": "FINDER"
}
],
"database_specific": {
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-003431",
"import_time": "2026-05-26T05:50:37.745015249Z",
"modified_time": "2026-05-20T02:41:36Z",
"sha256": "0a5fb9b700c42ee655b19af84771cbe4f0fba108b91c523aba79c75abb279451",
"source": "amazon-inspector",
"versions": [
"5.8.0"
]
},
{
"id": "IN-MAL-2026-003430",
"import_time": "2026-05-26T05:50:37.639770885Z",
"modified_time": "2026-05-20T02:40:25Z",
"sha256": "beda1480a40189cc8177ace4e3d6fd9773ad81f4cbe5a6c07e3004427846dc8d",
"source": "amazon-inspector",
"versions": [
"5.8.2"
]
}
]
},
"details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (beda1480a40189cc8177ace4e3d6fd9773ad81f4cbe5a6c07e3004427846dc8d)\nThe package impersonates the legitimate @ethersproject/wallet (source files are otherwise verbatim copies, including the internal version string \u0027wallet/5.8.0\u0027). lib/index.js inserts a msgLog() call inside the Wallet constructor that POSTs the constructor\u0027s first argument \u2014 the user\u0027s raw Ethereum private key, ExternallyOwnedAccount object, or mnemonic-bearing object \u2014 to https://api.telegram.org/bot\u003credacted\u003e/sendMessage with a hardcoded chat_id. Any consumer that calls `new Wallet(privateKey)` (the package\u0027s primary advertised API) silently transmits the secret material to the attacker\u0027s Telegram bot, granting the attacker full control of the victim\u0027s Ethereum funds. Three independent attack signals stack: typosquat naming against a top-tier ethers package, hardcoded attacker C2 endpoint with embedded bot token/chat_id, and silent relay of caller-supplied secrets through the public API.\n",
"id": "MAL-2026-4554",
"modified": "2026-05-26T05:55:02Z",
"published": "2026-05-20T02:40:25Z",
"references": [
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/ethers-wallet-packages/v/5.8.0"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/ethers-wallet-packages/v/5.8.2"
}
],
"schema_version": "1.7.4",
"summary": "Malicious code in ethers-wallet-packages (npm)"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…